Industry will work with government on cyberspace plan

By Wilson P. Dizard III, William Jackson

Feb 14, 2003

The White House today unveiled its National Strategy to Secure Cyberspace, detailing dozens of steps for industry and government to take to fend off and recover from assaults on the nation's critical systems.

The plan's five priorities are:

A national cyberspace security response system

A threat and vulnerability reduction program

A security awareness and training program

A plan to secure governments' cyberspace

An approach to intelligence agency and international cybersecurity.

Seeded throughout were dozens of recommendations to the private sector to raise its awareness of threats, train its systems employees, evaluate the security of applications and form ties with the government for joint action.

The plan also called for specific federal actions, the first of which is to set up a 24-hour, seven-day contact point in the Homeland Security Department for federal interactions with industry and other partners. And it called for exercises to evaluate the impact of cyberattacks and pinpoint weaknesses for correction.

At a DHS briefing today, Howard Schmidt, acting director of the White House's Critical Infrastructure Protection Board, said, "We have had a number of exercises across the Pentagon and in civilian agencies."

He said agencies have begun to simulate cyberattacks with state and local governments as well.

The plan put the Justice Department and other agencies in charge of improving information sharing, investigative tools and cybercrime research. It said the General Services Administration and DHS will continue to cooperate on a federal software patch clearinghouse and work with the private sector on a similar clearinghouse.

Federal agencies were told to tighten security measures, expand their use of security assessment tools and install applications to check continuously for unauthorized network connections. The plan said the government will also review the National Information Assurance Partnership to assess whether it is properly dealing with security flaws in commercial software.

It further said the government will consider licensing or certifying private security service providers for minimum capabilities, "including the extent to which they are adequately independent." Schmidt said such providers need to be shown as trustworthy.

In the international arena, the plan noted that the U.S. government will not necessarily limit its response to cyberattacks to criminal prosecution and it "reserves the right to respond in an appropriate manner." That mirrors the government's pursuit of al-Quaida, which has been carried out partly by legal prosecution and partly by warfare.

It called for building North America into a "cyber safe zone" with the cooperation of Canadian and Mexican public and private sectors.

DHS secretary Tom Ridge introduced the plan, together with the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, during a press conference at the department's heavily guarded headquarters in Washington.

Ridge said the reports on computer and physical infrastructure would "serve as road maps to help government and business" act in harmony.

Mario Correa, director of Internet and network security policy for the Business Software Alliance, called the final version of the plan "more focused and goal-oriented' than earlier draft versions.

"What is critical is for Congress to step up to the plate and provide the resources to implement the strategy,' Correa said.

Dan Burton, vice president of government affairs at Entrust Inc. of Dallas, said, "It's much the same as the previous version," but the fact that it exists is good. "The key is execution, and that is what we have to look to next," Burton said.

Also today, President Bush spoke at the FBI about the Terrorist Threat Integration Center announced in his recent State of the Union address. He said the FBI is expanding the terrorist identification system to give local jurisdictions access to terrorist threat information. Bush also said he has requested $500 million in additional funds for training, preparedness equipment and technical assistance to state and local law enforcement.